Tangerine 2-FA is Here

thelasthunter wrote: ↑ Got an email saying "Good news! As part of our commitment to keeping your money and personal information safe, we’ve launched 2‑Step Authentication. - a security feature designed with your peace of mind, in mind!"

I've been waiting for it since December. Tangerine did not provide a date for the launch. As most suspected, it's 2-FA via SMS, which is still vulnerable to sim card swaps. But it's still better than just having login/password/secret questions. Also, the email mentions that alternative 2-FA methods will come in the future...of course with no date provided!

IMO they should still have kept secret questions with the 2-FA (on an unregistered computer for example). Also, I hope Tangerine is not allowing password resets via SMS because that would be a huge vulnerability.

Still, I guess this is progress and better than nothing.

mech9t5 wrote: ↑ i dont' see anywhere I can enable this.

Kiraly wrote: ↑ Oh good lord, PLEASE let this not be every goddamn time you log in.

Kiraly wrote: ↑ Oh good lord, PLEASE let this not be every goddamn time you log in.

ml88888888 wrote: ↑ SMS only? they assume everyone has a cell phone and free to receive text. Why not email option.

Kiraly wrote: ↑ I would be much happier if Tangerine, instead of implementing this, would let us choose login passwords that are not limited to 4 or 6 DIGITS.

thelasthunter wrote: ↑ Why not both? Even the most complicated passwords are useless if someone hacks into your password manager

Kiraly wrote: ↑ And 2FA is useless if someone steals your phone number, which really isn't all that hard for hackers to do. I really believe that SMS 2FA really isn't as secure as many people make it out to be, and certainly not secure enough for me to have to put up with it every time I log in. I won't be enabling it with Tangerine just like I haven't turned it on with any other service. Now if the CRA would get rid of this requirement for me to do it EVERY TIME I log in, it would make my day.

thelasthunter wrote: ↑ You are not required to use 2-FA every time you login. You can select the option of only unregistered computers being required to do so.

Of course, you're right in saying that SMS 2-FA is not very secure. It essentially downloads our banking security to the telco providers, and they are clearly not in the banking business nor have that level of security infrastructre (although with pathetic Canadian banks, that's debatable). However, it's still widely considered better than just login/pass. The login for Tangerine is the bank card number, which is exceptionally unsecure imo. In a lot of cases that is the visa debit card number that many people will shop with online or use in stores.

mech9t5 wrote: ↑ I would agree that SMS 2FA is better than not having any 2FA but it depends on how they implement the password reset. Previous implementations of SMS 2FA with other organizations have allowed users to reset the password by confirming via SMS alone. That is super insecure and if that's how it is implemented, I would not turn it on either. I'm guessing these companies have learned their lesson.

thelasthunter wrote: ↑ Yup, I agree, that is a huge loophole in some SMS-2FA. Even if hackers swapped my sim card, they'd still need my login/pass to breach the account. With the SMS pass reset that barrier disappears. One of the reasons I created this thread is to find out if this is the case with Tangerine. If it is, I would disable the SMS 2-FA.

Right now, as far as I can tell, they don't allow SMS pass resets. When I click on "forgot my pin" I am asked to put in my SIN, birth date and answer security questions. I wonder if the SMS reset follows those.

rhw123 wrote: ↑ On a related note, with CIBC you can now set up to receive the 2FA code in the CIBC mobile app.

thelasthunter wrote: ↑ You are not required to use 2-FA every time you login. You can select the option of only unregistered computers being required to do so.

Of course, you're right in saying that SMS 2-FA is not very secure. It essentially downloads our banking security to the telco providers, and they are clearly not in the banking business nor have that level of security infrastructre (although with pathetic Canadian banks, that's debatable). However, it's still widely considered better than just login/pass. The login for Tangerine is the bank card number, which is exceptionally unsecure imo. In a lot of cases that is the visa debit card number that many people will shop with online or use in stores.